As you have likely heard in the news over the past two days, critical vulnerabilities affecting a wide range of processor hardware and firmware have been disclosed to the public. The vulnerabilities, Meltdown and Spectre (CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754), have been known to vendors for several months, but are only now being made public because vendors were given the opportunity to implement mitigations before publication.

What is my exposure?

At the heart of these vulnerabilities is that a successful attack gives read access to unencrypted data held in CPU registers (memory). The attack exploits the speculative computations that processors perform in an attempt to speed up overall workload throughput. Because the processor handles unencrypted data in its registers during speculation, the attacks prey on the way these speculative computations work and thereby gain access to that unencrypted data as well. These are called “side channel” attacks.

For Meltdown, the affected processors are made by Intel, dating all the way back to processors made in 1995. Spectre, however, appears to affect all chip manufacturers, although AMD denies this, or rather claims the exposure is minimal. The United States Computer Emergency Readiness Team (US-CERT) maintains a list of vendors and their responses/mitigations to these two vulnerabilities, as well as basic guidance on how to handle them. This can be found at: https://www.us-cert.gov/ncas/alerts/TA18-004A (check periodically for updates), and the current table with links to vendors is provided further down in this notice. It should be reiterated that Spectre affects almost all processors, including mobile platforms (Android, etc.), although iPhones and iPads seem unaffected (SANS - Spectre and Meltdown).

Probably the most alarming thing is that Mozilla (Firefox) has confirmed that these vulnerabilities can be exploited remotely by embedding attack code in JavaScript files delivered via web pages. Other browsers are at risk as well, and while Mozilla has already put mitigations in place as of November 2017, Google Chrome has not. It is important that you implement any browser patches for the vulnerabilities once they are available, following your normal patching process.

How do I protect myself?

During this time, rest assured that BlackStratus continues to be proactive and is continually monitoring your systems and your customers’ systems for any signs of malicious activity. We are also proactively searching for any newly published Indicators of Compromise specific to Meltdown and Spectre and are incorporating these into our rulesets in order to maximize detection capabilities.

However, the most important thing to do is to validate your system inventory and systematically patch those systems and applications at risk as vendors make patches available.

Microsoft has already released patches this week for its operating systems and the Edge browser, in advance of Patch Tuesday next week. However, it is critical that you validate whether or not your Anti-Virus product is compatible with those patches. If it is not, it is possible that after reboot the patched system will crash, displaying the BSOD (Blue Screen of Death). Microsoft has an AV Compatibility Note on how to proceed before implementing the patches. By default, systems will not be offered the patches unless their AV vendor explicitly sets a particular registry key that confirms compatibility. Also, if the deployed machine was not manufactured by Microsoft, a system firmware update will likely be required as well in order for the mitigation to be effective. Microsoft recommends reaching out to your device manufacturer for further details.
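The following is an added pre-patch check for the Windows anti-virus compatibility gate described above; it is not part of the BlackStratus notice. It assumes the gate is the QualityCompat registry value that Microsoft documented for the January 2018 updates, and that it is run in an elevated PowerShell session on each Windows system in your inventory.

```powershell
# Added example (not from the BlackStratus notice): check whether the AV
# vendor has set the compatibility registry value that Windows Update
# requires before it offers the Meltdown/Spectre patches.
# Assumption: the gate is the documented QualityCompat value below.

function Test-AvCompatibilityGate {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-e7b0-4f9e-bc4a-e5a5c2d1a6b3'

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Processor    = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
        KeyPresent   = Test-Path $keyPath
        ValueSet     = $false
        ReadyToPatch = $false
    }

    if ($result.KeyPresent) {
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # The AV vendor writes this value as REG_DWORD 0 to confirm compatibility.
            $result.ValueSet = ($item.$valueName -eq 0)
        }
    }

    # Only push the OS patch where the vendor has confirmed compatibility;
    # otherwise the patched system risks a BSOD after reboot.
    $result.ReadyToPatch = $result.ValueSet
    [pscustomobject]$result
}

# Usage: collect the result per host into your inventory before patching.
Test-AvCompatibilityGate | Format-List
```

A ReadyToPatch of $false means either that no AV product is installed or that the installed product has not yet confirmed compatibility, so hold the patch for that host and check with the AV vendor first.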

For users of macOS and iOS, Apple already released patches in December 2017. However, no patches have yet been provided for the Safari browser, which remains vulnerable to the remote exploit mentioned above. Apple expects to release this shortly.

Another consideration before implementing vendor patches for these vulnerabilities is performance. For modern processors it is less of an issue, but for older processors the impact could be as much as a 30% decrease in throughput. The impact, however, is highly dependent on the particular workload running on the system, so if possible this should be tested in advance of implementation, especially on older or heavily loaded systems.